Publication
ASIC issues updated regulatory guide on carbon markets
Following a consultation earlier this year, last month the Australian Securities and Investments Commission (ASIC) updated regulatory guide RG 236.
Thailand | Publication | July 2022
The PDPA has some key definitions which are similar to data protection laws elsewhere:
On 11 January 2022, the Personal Data Protection Committee (Committee), a regulator under the PDPA, was formed.
The Committee is authorized under the PDPA to set up a master plan for the promotion and protection of Personal Data; prescribe measures, criteria and guidelines for business operators to comply with; and issue subordinated regulations and rules under the PDPA.
Organizations outside Thailand that collect, use or disclose Personal Data collected from individuals in Thailand (whether or not those individuals are Thai citizens) may be subject to the PDPA if they engage in the following activities:
In addition, a Data Controller or Data Processor that is located outside Thailand and subject to the PDPA as described above will also be required to appoint, in writing, a representative in Thailand (who can be either an individual or a legal person). The representative acts on behalf of the Data Controller, without any limitation of liability, in respect of the collection, use or disclosure of Personal Data according to the purposes of the Data Controller as specified in the privacy policy, or on behalf of the Data Processor, without any limitation of liability, in respect of the collection, use or disclosure of Personal Data by the Data Processor in compliance with the orders of the Data Controller or on behalf of the Data Controller. However, the appointment of such a representative will not be required if the Data Controller or Data Processor:
Specific consent is required from the data subject, in writing or via electronic means, prior to or at the time of collection, use or disclosure of Personal Data, unless one of the prescribed exceptions applies. A data subject may at any time revoke his/her consent, unless there is a restriction by the law or under a contract on revoking such consent.
Collection of Personal Data must be for a lawful purpose and be directly relevant to, and necessary for, the activities of the Data Controller. The Data Controller must inform the data subject, prior to or at the time the Personal Data is collected, of the following details, except where the data subject already knows of such details:
Except under limited circumstances prescribed under the PDPA, Personal Data must typically be collected directly from the data subject. Also, the collection of Sensitive Personal Data without the explicit consent of the data subject is prohibited, except under limited circumstances set out in the PDPA. For instance, collection of Sensitive Personal Data is permitted (without the explicit consent of the data subject) to protect or prevent harm to a person’s life, body or health where the data subject is incapable of giving consent for whatever reason.
In the event that the Data Controller sends or transfers Personal Data to a foreign country, the destination country or international organization that receives such Personal Data must have an adequate data protection standard in accordance with the rules for the protection of Personal Data as prescribed by the Committee, except in the following circumstances:
Under the PDPA, a data subject has certain rights as follows:
A data protection officer (DPO) is required to be appointed by the Data Controller, the Data Processor or the representative of the Data Controller or the Data Processor (in the event that such Data Controller or the Data Processor is required to appoint a representative in Thailand as explained above) in the following cases:
Failure to comply with the PDPA could result in civil liabilities, criminal penalties or administrative fines.
The Data Controller may continue to use Personal Data collected prior to the date that the PDPA comes into force, provided that:
Four subordinated regulations (Regulations) issued under the PDPA took effect on 21 June 2022. The Regulations consist of the following:
It is anticipated that further subordinated regulations of the PDPA will soon be issued by the Committee.
Although only four subordinated regulations have been issued under the PDPA at present, Data Controllers and Data Processors subject to the PDPA should monitor the other subordinated regulations and rules once they have been issued, and review their privacy policy and procedures to determine whether any change must be implemented.
© Norton Rose Fulbright LLP 2023